DECOMPOSITIONS OF GRAPHS OF FUNCTIONS 
AND FAST ITERATIONS OF LOOKUP TABLES 

BOAZ TSABAN 

Abstract. We show that every function / implemented as a 
lookup table can be implemented such that the computational 
complexity of evaluating f"^{x) is small, independently of m and 
X. The implementation only increases the storage space by a small 
constant factor. 



1. Introduction and Motivation 

According to Naor and Reingold [2], a function / : {0, . . . , — 1} ^ 
{0, . . . , — 1} is fast forward if for each natural number m which 
is polynomial in and each x = 0, ... — 1, the computational 
complexity of evaluating f"^{x) — the mth iterate of / at x — is small 
(polynomial in logA^). This is useful in simulations and cryptographic 
applications, and for the study of dynamic-theoretic properties of the 
function /. 

Originally this notion was studied in the context of pseudorandom- 
ness, where N is very large - see [21 El II]- Here we consider the re- 
mainder of the scale, where N is not too large, so that the function 
/ : {0, . . . , — 1} {0, . . . , — 1} is or can be implemented by a 
lookup table of size A^. Implementations as lookup tables are standard 
for several reasons, e.g., in the case where the evaluation f{x) is re- 
quired to be efficient, or in the case that / is a random function, so 
that / has no shorter definition than just specifying its values for all 
possible inputs. We describe a simple way to implement a given func- 
tion / such that it becomes fast forward. The implementation only 
increases the storage space by a small constant factor. 

The case that / is a permutation is of special importance and is 
easier to treat. This is done in Section [2l In Section [3] we treat the 
general case. 
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2. Making a permutation fast forward 
We recall two definitions from [3]. 

Definition 1. Assume that / is a permutation on {0, . . . , — 1}. The 

ordered cycle decomposition of / is the sequence (Cq, . . . , Q-i) consist- 
ing of all (distinct) cycles of /, such that for each j G {0, 1} 
with i < j, minCj < minCj. The ordered cycle structure of / is the 
sequence (|Co|, . . . , 

The ordered cycle decomposition of / can be computed in time A^: 
Find Co, the cycle of 0. Then find Ci, the cycle of the first element 
not in Co, etc. In particular, the ordered cycle structure of / can be 
computed in time A^. 

Definition 2. Assume that (mo, mi, . . . , m^-i) is the ordered cycle 
structure of a permutation / on {0, . . . , A^ — 1}. For each i = 0, . . . , i — 
1, let Si = mo + ■ ■ ■ + mj. The fast forward permutation coded by 
(mo, mi, ... , mi_i) is the permutation tt on {0, . . . , A^ — 1} such that 
for each x G {0, . . . , A^ — 1}, 

7r(x) = Sj + (x — Sj + 1 mod mj+i) where Si < x < Sj+i. 

In other words, vr is the permutation whose ordered cycle decomposition 
is 

TT = ( ■ ■ ■ gp - l )( go . . . gi - l )( si ...S2-1) ■ ■ ■ { S,_2-- - N -I) . 

mo mi m2 m^.i 

The assignment x i— > i(x) such that sa^x) < x < Si(x)+i can be imple- 
mented (in time A^) clS cl lookup table of size A^. As 

7r™(x) = + (x - + m mod (si(^.)+i - 

TT is fast forward. 

Coding 3. To code a given permutation / on {0, . . . , A^ — 1} as a fast 
forward permutation, do the following. 

(1) Compute the ordered cycle decomposition of /: 

/ = ( &o . . .hso-i ){ hso ■ ■ ■ hsi-i ){ hsi ■ ■ - K-i) ■ ■ ■ i K-2 ■ ■ ■bN-i) - 

mo mi m2 m£_i 

(2) Define a permutation a on {0, . . . , A^ — 1} by o"(x) = bx for each 
x = 0,...,N -1. 

(3) Store in memory the following tables: a, a^^, the list Sq, . . . , S£_i 
(where Sk = mo -!-■■■ + m^ for each k), and the assignment 
X 1-^ i{x). 
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Let TT be the fast forward permutation coded by (mo, mi, . . . , mg-i). 
Then 

f — a o TT o a~^. 

For each m and f"^{x) is equal to (T(7r™((T~^(a;))), which is computed 
by 5 invocations of the stored lookup tables and 5 elementary arith- 
metic operations (addition, subtraction, or modular reduction). We 
therefore have the following. 

Theorem 4. Every permutation f on {0, . . . , N — 1} can be coded by 
4 lookup tables of size N each, such that each evaluation /"^(x) can be 
carried using 5 invocations of lookup tables and 5 elementary arithmetic 
operations, independently of the size of m. □ 
Remark 5. 

(1) For random permutations, £ ^ logiV and therefore the total 
amount of memory is about 3A^ + log N. 

(2) Instead of storing the assignment x ^ i(x), we can compute it 
online. This is a search in an ordered list and takes log2(£) in the 
worst case. For a typical permutation this is about log2(log(A^)) 
additional operations in the worst case (e.g., for N = 2^^, this 
is about 4 additional operations per evaluation). This reduces 
the memory to 2A'" + log N. 

3. Making an arbitrary function fast forward 

We begin with a simple method, and then describe a twist of this 
method which gives better results. 

3.1. The basic approach. The language of graphs will be convenient. 
For shortness, a (partial) function / : {0, . . . , iV — 1} — >■ {0, . . . , — 1} 
will be called a (partial) function on {0, . . . , N — 1}. 

Definition 6. Let / be a partial function on {0, . . . , — 1}. The 

graph of f is the directed graph G = {V, E), where 

V = {0,...,iV-l}, 

E = {(,T, /(a;)) : X e dom(/)}. 

The orbit of an element v E V is the maximal simple tour (v, Vi, f 2, . . . , Vk) 
in G. Note that either f{vk) is undefined, or else f{vk) G {v, Vi, V2, ■ ■ ■ , v^}. 
In the latter case, we say that the orbit is a p- orbit. 

Any subgraph of a partial function /on{0,...,A^ — l}is the graph 
of some restriction of /, and in particular is the graph of some partial 
function g on {0, . . . , N — 1}. 
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Definition 7. Assume that / is a function on {0, . . . , — 1}. Tiie 
ordered orbit decomposition of / is the sequence (Cq, . . . , defined 
by: 

(1) Co is the orbit of 0. 

(2) For A; > 0, if V 7^ Co U Ci U ■ ■ ■ U Ck-i, then Ck is the orbit 
of the least element of ^ \ (Cq U • ■ ■ U Cfc_i) in the subgraph 
induced by G on the vertices in y \ (Cq U • • • U Ck-i). 

(3) i is the least k such that V — CqL) ■ ■ - [J Ck-i- 

The ordered orbit structure of / is the sequence (|Co|, . . . , |C^_i|). 

Note that the ordered orbit decomposition of a permutation is just 
its ordered cycle decomposition. Assume that (Cq, . . . , C^-i) is the 
ordered orbit decomposition of /. Clearly, (Co, . . . , C^-i) can be recon- 
structed from the concatenated sequence CqCi ■ ■ ■ C^_i together with 
the ordered orbit structure (|Co|, . . . , |C^_i|) of /. To reconstruct / 
from (Cq, . . . , C^_i), we need in addition the following information. 

Definition 8. The auxiliary sequence for an ordered orbit decompo- 
sition (Cq, . . . , C^-i) of a function / is (po, • • • ,Pt-i), where for each 
i — 0, ... ,i — 1, Pi is the position of f{vi) in the concatenated sequence 
CqCi . . . C^_i, Vi being the last element in the sequence Cj. 

Example 9. Consider the function / on {0, . . . , 6} whose graph is 

0^5^^^2^4 6 

^3^ 1 
The ordered orbit decomposition of / is 

(Co,Ci,C2) = ((0,5,2,3),(l,6),(4)), 

and the ordered orbit structure is (|Co|, |Ci|, IC2I) = (4,2,1). Cq and 
Ci arc p-orbits, whereas C2 is not. The concatenated orbits C0C1C2 
give (0, 5, 2, 3, 1, 6, 4). Now, 3 is the last element in Cq, and the position 
of /(3) = 5 in the concatenated sequence is 1. 6 is the last element 
in Ci, and the position of /(6) = 1 in the concatenated sequence is 
4. Similarly, the position of /(4) — 2 is 2, so the auxiliary sequence is 
(1,4,2). 

Definition 10. Assume that (mo, mi, . . . , m^_i) is the ordered or- 
bit structure of a function / on {0, . . . , A^ — 1}, and that the auxil- 
iary sequence is {po, ■ ■ ■ ,P£-i)- For each i = 0, 1, let Si — 
1^0 + ■ ■ ■ + rui. The fast forward function coded by (mo, mi, ... , m£_i) 
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and {po, . . . , Pe-i) is the function vr : {0, . . . , iV — 1} ^ {0, . . . , — 1} 
whose ordered orbit decomposition is 



((0 ... So - 1), (so ... si - 1), (si . . . S2 - 1), . . . , {se_2_.N__L)), 



and whose auxihary sequence is {po, ■ ■ ■ ,Pe-i)- 

Example 11. The ordered orbit structure of / in Example[9]is (4, 2, 1), 
and the auxihary sequence is (1,4,2). The fast forward function vr 
corresponding to / is that with the same auxihary sequence and whose 
ordered orbit decomposition is ((0, 1, 2, 3), (4, 5), (6)). The graph of n 
is ^ ^ 



as can be verified directly. 

Example [11] hints to the following recursive procedure to compute 
n"^{x). Again, let i{x) be such that Si(^x) < x < Si(^x)+i for each x = 



(1) Let r = m — {si(^x)+i — x). (Note that r < m.) 

(2) If r < 0, then 7r'"(a;) = x + m. 

(3) Else: 

(a) If Sj(^) < Pi(^x) then Ci(^x) is a p-orbit, and therefore 

7r™(a;) = + (r mod (si(^.)+i -Pi(xo))- 

(b) Otherwise, 7r™'(x) = T^'^{pi{x))- 

Case (b) is the only case where a recursion is made. Note that in 
this case, Pif^^) < Si(x), i-e. we descend to a previous component. We 
therefore call this descent. 

For simplicity, use the term basic operation for either a basic arith- 
metic operation, a comparison, or a lookup access. It follows that each 
descent requires less than 10 basic operations. 

Corollary 12. The complexity of evaluating tt^{x) is a constant c < 10 
times the number of descents needed until a p- orbit is reached. 

Remark 13. In the sequel, we will measure the complexity by the num- 
ber of descents. The constant c by which this should be multiplied 
(Corollary [T2!) can be made smaller by pre-computing lookup tables 

for Si(a;), pii^^), and Si(x)+i - p^x)- 





0^1 2-^6 4 




Using the auxiliary sequence we have, e.g., that 

7ri°(6) = 7r\2) = 7r^(l) = 1 + (7 mod 3) = 2 



0,...,N-1. 
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We now describe the basic method for coding / as a fast forward 
function. The running time of this transformation is a small constant 
multiple of N. 

Coding 14. Assume that / is a function on {0, . . . , N — 1}. Code / 
as follows. 

(1) Compute the ordered orbit decomposition of /: 

{{ bp.. .bsQ-i) , ( fe.Q .. . bs,-i) , ( K ■■ ■ bs2-i) , • • • , ■■■fciv-i ))- 

mo mi m2 m^_i 

(2) Define a permutation cr on {0, . . . , A?" — 1} by a{x) — bx for each 
a; = 0, . . . , - 1. 

(3) Use to compute the auxiliary sequence [po, . . . 

(4) Store in memory the following tables: a, a~^, the list Sq, . . . , 
(where Sk — mo + • • • + for each k), the auxiliary sequence 
{po, . . . ,pe-i), and the assignment x i— > i{x) (such that each 

Note that the code of / defines the fast forward function tt coded by 
(mo, . . . , m^_i) and (po, . . . ,pe-i), and that f — a ott o a^^. Thus, 

r{x) = <7(7r-(<7-^(x)) 

for each x and m. Consequently, if the maximal number of descents in 
TT is small, f^{x) can be evaluated efficiently for all m and x. 

Simulations show that for random functions /, the maximal number 
of descents in the evaluations f "\x) is around log2A^. We will give 
concrete results for a better approach in the sequel. 

3.2. An improved approach. There are pathological cases where the 
number of descents can be A". We exhibit the extreme case, with a hint 
concerning how it can be avoided. 

Example 15. Consider the function f{k) = max{0, k — 1}: 

^ 1 ^ 2 - • • • ^ (AT - 2) ^ (AT - 1) 

The ordered orbit decomposition of / is ((0), (1), (2), . . . , (A^— 1)), and 
the auxiliary sequence is (0, 0, 1, 2, . . . , A^ — 2). The ordered orbit struc- 
ture is (1, 1, ... , 1), and the corresponding fast forward function n is 
equal to /. Computing 7r'^(N — 1) for m > A" — 1 requires A" — 1 
descents. 

Now consider the function g{k) — min{A; + 1, A" — 1}: 



Q (AT - 1)^ (AT - 2) ^ ■ ■ ■ ^ 2 ^ 1 ^ 
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The ordered orbit decomposition of g is ((0, 1, 2, . . . , — 1)), and the 
auxihary sequence is (0). The ordered orbit structure is (A^), and the 
corresponding fast forward function vr is equal to g. No descents at all 
are required to compute values 7r'"(x). 

The following definition captures the improvement made in the sec- 
ond part of the last example. 

Definition 16. Assume that / is a function on {0, . . . , A^ — 1}. The 

greedy orbit decomposition of / is the sequence (Cq, . . . , C^-i) defined 
as follows, where a maximal orbit is an orbit of maximal length, and 
when there is more than one maximal orbit, we choose the one starting 
with the least point: 

(1) Co is the maximal orbit in G. 

(2) For A; > 0, if 7^ Co U Ci U ■ ■ ■ U Ck-i, then Ck is the maximal 
orbit in the subgraph induced by C on the vertices in \^ \ (Co U 
■■■UCfc_i). 

(3) £ is the least k such that = Co U ■ ■ • U Ck-i- 

The greedy orbit structure of / is the sequence (|Co|, . . . , |C£_i|). 

Remark 17. Given a graph of a function on {0, . . . , A^ — 1}, one can 
attach to each vertex the length of its orbit. This can be done in < 2A^ 
steps. After removing an orbit from the graph, only the points which 
eventually enter the orbit need to be modified. Even if we recompute 
all lengths after each removal of an orbit, the overall complexity is not 
more (and usually much less) than 



Since the procedure is done only once and offline, we do not try to 
optimize further. 

Having defined the greedy orbit decomposition of /, we can pro- 
ceed to define, with respect to it, the auxiliary sequence and the other 
definitions, as well as the coding, exactly as in Section 13. 1[ 

Example 18. Notation as in Example [151 we have that the greedy 
orbit decomposition of / is ((A^ — 1, A^ — 2, . . . , 1, 0)), the auxiliary 
sequence is (A^ — 1), and the ordered orbit structure is (A^). The fast 
forward function vr is equal to g, and no descents at all are required to 
compute values tt^{x). 

The following theorem shows that, using the greedy orbit structure, 
the maximal possible number of descents cannot be greater than about 



2A^ + 2(A^ - 1) + ■ ■ ■ + 2 ^ A^^ 




8 



BOAZ TSABAN 



Theorem 19. Assume that f is a function on {0, . . . , — 1}. Then 
the maximal number of descents in the greedy orbit structure of f is 
not greater than [{^/T+~8N - 3) /2j . 

Proof. Consider the greedy orbit structure (Co, . . . , C^-i) and auxihary 
sequence {po, . . . ,pe-i) for /. Let d be the maximal number of descents 
in this structure. Then there is a sequence io < ii < ■ ■ ■ < id such that 
for each j = 1, . . . ,d, the last member in C,^ is mapped by / to some 
member of Cj^.i- Since (Co, . . . , Ce-i) is a greedy orbit structure, we 
have that 

I ^io I ^ I I ^ ■ ■ ■ I ^id I ■ 

Indeed, for each j = 1, . . . ,d, as Ci. is not a p-orbit, the orbit in 
{V \ (Co U ■ • ■ U Cj^_^_i), E) starting with the first element of Ci. is of 
size at least |Cj.| + 1, and by the maximality of |Cj _J, we have that 

iaj + i<|c,/j. 

Consequently, for each j = 0, . . . ,d, |CiJ > d — j + 1, and therefore 

d 



N =\V\> 



j=0 



j=0 j=0 

Thus, d'^ + 3d+{2- 2N) < 0, that is. 



^ ^ -3 + - 4(2 - 2N) VI + SAT -3 ^ 

d < = . U 

- 2 2 

The bound in Theorem [19] cannot be improved. 

Example 20. Fix A^. Let d = [(Vl + 8iV - 3)/2j. Then M = {d + 
l){d + 2)/2 < N. We will define a function on {0, . . . , M - 1} whose 
greedy orbit decomposition has d descents starting at M — 1. Clearly, 
such a function can be extended to a function on {0, . . . , — 1} with 
d descents in its greedy orbit decomposition by extending the first 
component. 

Consider the function / whose greedy orbit decomposition is 

((0, 1, . . . , d), . . . , (M - 6, M - 5, M - 4), (M - 3, M - 2), (M - 1)) 

with auxiliary sequence {d,d, . . . , M— 4, M—2). There are d+1 compo- 
nents, and each component is descended into the previous component, 
so starting at the value M — 1 we have d many descents. 
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its greedy orbit decomposition is ((0, 1, 2, 3), (4, 5, 6), (7, 8), (9)) and the 
auxihary sequence is (3,3,6,8). Computing /^(9) requires 3 descents. 

Note that Example [20] has an orbit decomposition with at most one 
descent. E.g., in the case c? = 3 we can take ((9, 8, 6, 3), (0, 1, 2), (4, 5), (7)) 
with auxihary sequence (3, 3, 2, 1). 

This suggests that in Definition [16], when we have more than one 
maximal orbit, we should try all possibilities. This way, the algorithm 
becomes exponential. We have tried a randomized approach which 
broke ties using coin flips. It did not give significantly better results. 
We would be glad but surprised if the answer to the following would 
turn out positive. 

Problem 21. Does there exist an efficient algorithm to find, for a 
given function f on {0, . . . ,N — 1}, an orbit decomposition for which 
the maximal number of descents is as small as it can be for f ? 

3.3. The random case. The random case, and presumably most of 
the cases encountered in practice, behaves much better than is provable 
for the worst case. For each = 2^, 2^, ... , 2^*^, we have sampled 100 
random functions on {0, . . . , — 1}. For these, we have computed 
the maximum and average number of descents. The results appear 
in Figure [1] Figure [1] contains three increasing and one decreasing 
graphs. Among the increasing graphs, the uppermost is just logg A^, the 
intermediate graph is the maximum number of descents encountered 
for each A^, and the lowest is the average number of descents. The 
decreasing graph is logg A^ divided by the average number of descents. 

An interesting observation is that none of the samples contained a 
point with more than log2 A^ many descents. This should be contrasted 
with Example [20l and suggests that the cases in which the complex- 
ity of evaluating can be larger than about log2 A^ are indeed 
pathological. 

Another observation, which is of great practical interest, is supplied 
by the decreasing graph: It shows that for the checked values of A^, 
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Figure 1 . Number of descents in the random case. 



and presumably for all practical values of N ^ the average number of 
descents is about (log2 A^)/5 or less. Recall from Corollary WI\ and the 
remark after it, that the overall complexity is a small multiple of this 
number. 



We conclude the paper by demonstrating that the mere consideration 
of average complexity rather than maximal complexity does not suffice 
to obtain the logarithmic phenomenon which we encountered in the 
random case. 



Example 22. Consider the function / described in Example [20], and 
assume that (vT+8iV — 3)/2 is an integer (otherwise the following 
is only approximate). In this case, d is equal to this number, and 

{d+l){d + 2) = 2N. 
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The average number of descents for / is times 



l-d + 2-{d-l) + --- + d-l = 



d d d 




1=1 i=l i=l 



{d+l){l + d)d d{d+l){2d+l) 



2 6 



d{d+l){d + 2) d 



6 ^''-l- 



Thus, the average number of descents in / is d/3 (which is roughly 



4. Conclusions, improvements, and open problems 

We have shown that every lookup table T of size N can be coded by 
cN elements where c is a small constant, such that computations of the 
form T"^{x) — the mth iterate of T at x — can be done efficiently. The 
efficiency is measured in the number of recursions (descents) which our 
algorithm performs. 

In the case that T is a permutation, no recursions are needed. When 
T is a general function, we can have up to y/2N recursions but not more 
than that, and if T is random, then the number of recursions reduces to 
about (log2A^)/5. The last assertion was only verified experimentally, 
and a rigorous explanation of this reduction from 0{\fN) to 0(log A^) 
in the random case would be interesting. 

In a work in progress with Yossi Oren, we introduce another heuris- 
tic for the decomposition of graphs of functions. For this heuristic, the 
maximal number of descents reduces to log2 N (which is optimal with 
respect to the worst-case behavior). There are still cases where the 
heuristic described in the current paper outperforms the newer heuris- 
tic, though. 

The task of finding a heuristic approach which reduces the aver- 
age number of recursions in the computations T"^[x) to less than our 
(log2 A^)/5 seems to be of great practical interest. 
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